Category Archives: Parasites

Bundling

Bundling is one of the most common ways parasites are spread. It works like this: you install a piece of software you think looks good, and it invites some of its friends onto your computer behind your back.

When you run any piece of software, remember that it has the capability to do anything you can do—up to and including deleting all your files. Only install software from authors you trust, and look out for the warning signs of untrustworthy authors.

* Don’t just click ‘Next’

Some installers may have a screen giving notice of other (usually undesirable) programs they will be installing at the same time as the software you wanted. Sometimes there may even be an option not to install the software—an ‘opt-out’ install. (‘Opt-in’ installs are very uncommon.)

If you just click Next-Next-Next to get through the installer as quickly as possible, you will probably miss this and end up with unwanted software. Take your time.

* Read the EULA

Most software has an ‘End User Licence Agreement’ or ‘Terms of use’. Often this will be shown to you as you install the software. Read it. Often there will be some kind of warning there if the software plans to install parasites.

Look out for ‘agreements’ for other pieces of software, anything to do with ‘ad-supported’ components, installation of ‘third party’ software, ‘toolbars’, ‘enhancement technologies’ and so on. Saying you have to be at least 13 to use the software is a dead giveaway that it will be collecting privacy-sensitive information; saying you have to be 18 is an indicator that porn will likely be promoted.

* Understand the EULA

Many licence agreements are extremely long, and contain language that is unclear. Additionally some installers display this information in an unnecessarily small scrolling box, to make it difficult to review. (In some cases, you may be able to copy-and-paste this text into Notepad to read it more easily.)

If you don’t understand what the EULA says, or if it’s just too impractically long to read, simply don’t install the software. An unclear or gargantuan EULA is trying to hide something from you, and it’s probably parasites.

* Don’t trust the EULA

Just because the licence agreement seems clean, that’s no proof the software isn’t going to stab you in the back anyway. You can opt out of all the options there are, and still get hit by other parasites they ‘forgot’ to mention; some installers start loading parasites before even reaching the EULA screen. A lot of parasitic software is installed without any notice whatsoever.

In many countries it remains untested whether ‘click-through’ licences have any legal weight at all anyway. (They are not a real contract, and it is unclear whether simply running a program constitutes ‘copying’, which would require some sort of licensing scheme under copyright law.)

* Avoid heavily-promoted free software

Think about it: if a company wants you to use their software so much that they’re willing to spend money advertising it to you, they must get some kind of gain out of doing so.

In some cases, the software might be a freebie to promote the company and its other products. In many more cases, the software earns money by installing parasites.

* Avoid junk software

Some of the most heavily-promoted software is trivial or pointless in nature, aimed at users too inexpert to recognise this. Very often such software—worthless in itself—is created solely as bait, to install the parasites that come with it.

For example: the many programs to correct the computer’s clock. Windows XP already has this feature built-in and turned on by default; for other operating systems there are a thousand other tiny programs to do it using the standard internet NTP protocol, none of which feel the need to install parasites. (And anyway correcting the small amount of drift in a modern computer’s hardware clock by hand every six months is not really much of a hardship.) Yet adverts all over the web are trying to convince you that your clock is probably wrong and desperately needs fixing.

Other common examples include weather monitors, smiley icons, IM avatars and mouse pointers, web form-filling and screensavers. Beware also ‘snake oil’ products making technically questionable claims, such as software to prevent crashes, increase memory size or network speed, or to speed up file-sharing programs.

(Peer-to-peer file-sharing programs are themselves very often infested with large quantities of the worst parasites—take care.)

* Prefer “Free Software” to “FREE DOWNLOAD!!”

The Free Software and Open Source movements make the full source code of their software available. This makes it difficult to hide undesirable behaviour such as spying or advertising from its users. So Free and Open Source Software is generally more likely to be free of parasites.

Ensure you download from the software’s official project site. Some parasite-laden downloads have masqueraded as well-known open-source applications in the past, or implied they were open-source without actually being so (eg. openwares.org).

* Be sceptical

A company’s own assertion that their software contains “no spyware” is next to worthless. Aside from the possibility that they are simply lying, there are many ways the definition of spyware can be twisted to exclude whichever parasites they want to install.

If you’re not sure, do some research. Do a search for the program’s name together with ‘spyware’, ‘adware’ or ‘parasite’. See what people are saying about it.
Browsing

In theory, browsing a web page should be safe; the web was deliberately designed not to include active content. In practice however, poor security and user interface design make web browsing potentially dangerous.

Installation through the web browser is the other major source of parasites, through both ‘security hole exploit’ bugs that let software install automatically and tricks that mislead the user into allowing a download they didn’t want.

* Refuse unrequested downloads

When a prompt appears asking you whether you want to download a plugin, set your home page or give the web site extra permissions, close the window or choose ‘No’ unless you specifically asked for the download and completely trust the web site (including any of its associates such as advertising providers).

Some downloaders may respond by reloading the page and opening a window claiming that you must accept the download to view the page. Such high-pressure tactics are characteristic of the worst parasites. Keep choosing ‘No’ and try hitting the Escape key to stop the page reloading. In the worst case you may have to open the Task Manager (Ctrl-Alt-Delete) and end the browser process to get out of this trap.

* Distrust Authenticode

Authenticode is Microsoft’s mechanism for code-signing. A company can put its name on a piece of software using unforgeable cryptographic techniques. When ActiveX download windows appear, this company name is then shown to the user.

Unfortunately in practice Authenticode is almost completely worthless. The companies in charge of distributing certificates for code-signing (the ‘roots’, such as Thawte) routinely give out certificates with misleading company names like ‘CLICK YES TO CONTINUE’ or ‘MSN Technologies’ (not connected to Microsoft’s MSN), and in the case where companies are caught exploiting security holes or signing trojan code, they refuse either to revoke the certificates or to reveal the real contact details of the company in question. In one memorable occasion, the Verisign root was lax enough to accidentally release Microsoft’s own code-signing certificates.

Many downloader pages insist that the Authenticode popup means that the software is ‘safe’ or ‘approved by Microsoft’; in reality all it means is that the company that produced the software has enough money to buy a certificate.

* Secure your browser

Make sure you’re up-to-date on browser patches. For Internet Explorer, this can be done through the (alas often unreliable) interface at Windows Update; if you are using Windows XP this can be done automatically using ‘Automatic Updates’, which is on by default, if you trust it.

If you are using Internet Explorer on Windows XP, consider installing the XP Service Pack 2 update, which cuts down on unrequested ActiveX installer popups as well as working around a number of security bugs.

Consider locking down security settings. For Internet Explorer, disable ActiveX downloads until you need them, both in the Internet and the My Computer Zone (which is hidden by default), and set other sensitive options in the Internet Options->Security->Custom list to ‘Prompt’ instead of ‘Enable’. Alternatively, simply:

* Use a different browser

The vast majority of security hole exploits are aimed at Internet Explorer. This is partly because IE is (currently) the most widely-used browser, but, more than that, because its record of security holes is so very poor.

No web browser is 100% free of security problems, but the basic design of Internet Explorer, combined with Windows integration, make IE considerably riskier than most other browsers. Microsoft’s speed in fixing bugs has also been disappointing at times, some security-sensitive bugs going unfixed for several months. XP Service Pack 2 is a definite improvement, but no panacea.

You might still need to keep Internet Explorer around, for the occasional poorly-written site that only works on one browser (most notably Windows Update), but using an alternative browser for everyday web use reduces risk significantly; IE exploits can now be found all over the web, even on mainstream sites (most notably: CoolWebSearch).

Popular alternative browsers available for Windows include Firefox, Opera and the full Mozilla suite (from which Firefox evolved).

There are other ‘semi-alternative’ browsers for Windows, based on the Internet Explorer code. They can still be vulnerable to some if not all of its security holes; on the other hand they can be more compatible with poorly-designed web sites that do not work well in other browsers. Examples include Maxthon, AvantBrowser, Netcaptor, SlimBrowser and CrazyBrowser.

* Secure other browser-accessible software

If you have plug-ins like Sun Java or Flash installed, make sure they are also the latest versions. If you do not use them, uninstall them.

If you use Internet Explorer, installed ActiveX plug-ins can also be a rich source of security vulnerabilities. Some of them you will be able to see in the Downloaded Program Files folder (inside the Windows folder); delete any you don’t need.

* Look out for other people

If your computer is to be used by others—particularly children—who are naïve about computer security, limit their risk.

Lock down IE security settings, or, better, give them an alternative browser and hide IE. Give them a limited User account of their own so that any spyware they install can only compromise their account and not yours—if it will install under a restricted account at all.

* Consider other alternatives

It’s a bit of a drastic change to make just for the sake of avoiding parasites, but alternative operating systems are worth investigating if you are unsatisfied with Windows for other reasons too.

There are currently no parasites affecting the Mac, Linux or other Unix-derived operating systems. This is mostly because of the larger Windows user-base, but the other OSs do in general fare slightly better on desktop security, mostly because they don’t require that the user be logged in as an administrator at all times. Malicious code could still run, but shouldn’t be able to compromise the system as completely.

Description

IPInsight is a process or IE Browser Helper Object that monitors addresses entered into web forms, ostensibly to try to make a database of physical locations of IP addresses.

Variants

IPInsight/Sentry: installs a process Sentry.exe and datafile Sentry.ini in the Windows folder. This variant cannot be detected by the script at this site.

IPInsight/Ipinsigt: a reimplementation of the original Sentry as a BHO, provided by IPINSIGT.DLL in the Windows folder. This code is based on theTransponder parasite from Mindset Interactive; there is even a leftover message from Transponder/VX2 in the code about the software opening pop-up ads, which it doesn’t!

IPInsight also make connection monitoring software that is included in some ISP’s installation discs. This is not the same software as the ‘IPInsight’ parasite and is not detected by the script at this site.

Distribution

Bundled with Morpheus 2 and software from Blue Haven Media.

What it does

Advertising

No.

Privacy violation

Yes. Any address information you enter into a form using Internet Explorer is leaked to the IPInsight’s servers, along with a unique ID. Their privacy policy claims any house number sent is ’rounded’ so as not to pass a completely accurate address.

Security issues

Yes. Can silently download and install updates.

Stability problems

No.

Removal

Some installations of IPInsight/Ipinsigt have an entry in Add/Remove Programs, which removes the software from the current setup adequately.

However it leaves a copy behind in the ‘last known good setup’ which may reappear if you boot using this option. Delete the file IPINSIGT.DLL from the LastGood folder in the Windows folder, and IPINSIGT.PNF and IPINSIGT.inf from the LastGood\INF folder. Finally you can remove IPInsigt from the hidden ‘inf’ folder in the Windows folder to clean up.

Spybot Search & Destroy can remove IPInsight.

Manual removal

Sentry variant: open the registry (Start->Run->regedit) and open the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Delete the ‘Sentry’ entry. Reboot Windows and delete Sentry.exe and Sentry.ini in the Windows folder.

Ipinsigt variant: open a DOS command prompt window (Start->Programs->Accessories) and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u "..\IPINSIGT.DLL"

Reboot Windows and delete IPINSIGT.DLL in the Windows folder. You can also delete the registry key HKEY_LOCAL_MACHINE\Software\IPInsight to clean up if you wish. Then see the LastGood removal instructions above.

Distribution

It can also be downloaded as a normal executable. The script at this site will not detect InternetWasher when it is installed this way.

What it does

Advertising

No.

Privacy violation

No.

Security issues

Yes. Can silently download and execute arbitrary code from its controlling server, as a self-update feature.

This has also been used to install other parasites.

Stability problems

No.

Removal

A full installation should leave an entry for ‘Internet Washer Pro’ in the Control Panel’s Add/Remove Programs feature. Use this to remove the software, then restart and delete the ‘Internet Washer Pro’ folder in Program files.

Then open Downloaded Program Files in the Windows folder and delete the entry {421A63BA-4632-43E0-A942-3B4AB645BE51}.

A partial installation can result if the ActiveX installation gets started but does not complete. In this case there will likely be only the Downloaded Program Files entry to get rid of.

Manual removal

Open the registry (Start->Run->regedit) and find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Delete the ‘Internet Washer Pro’ entry. Restart the machine and you should be able to delete the ‘Internet Washer Pro’ folder in Program Files.

InternetOptimizer/Nem: as Iopti, but searches are hijacked to yoogee.com (a search site run by the makers of InternetOptimizer).

InternetOptimizer/Wsem: a larger version of the software, whose purpose is unclear.

InternetOptimizer/Crmrest: an ActiveX downloader control for InternetOptimizer.

Also known as

DyFuCA.

Distribution

May be installed by MoneyTree/DyFuCA, or the Crmrest variant. The latter poses as a comedy or porn video from the site movies-etc.com, and when allowed to install may forward a mail to all contacts in your Outlook address book, promoting movies-etc in your name.

What it does

Advertising

Yes. The ‘DyFuCA Active Alert’ component can open pop-up ‘alerts’ when directed by its controlling server.

Privacy violation

Suspected. The EULA at Internet Optimizer’s web site states the software may send all your browsing information back to its controllers. At the time of writing, however, this has not been seen to happen with the current version of the software.

Security issues

Yes. Can download and execute arbitrary unsigned code from its controlling server, as an update feature.

Stability problems

Unknown; some unclear user reports of it causing crashes.

Removal

Check the Control Panel’s Add/Remove Programs feature for ‘Active Alert’ and ‘Internet Optimizer’. If these entries are there, using both should result in InternetOptimizer’s correct removal. Afterwards, ensure MoneyTree/DyFuCA is no longer loaded.

Manual removal

For the Crmrest installer variant, open the Downloaded Program Files folder (inside the Windows folder) and remove the ‘Media Manager’ entry.

For other variants, open the Windows folder. You should be able to see a file ‘ioptiXXX.dll’ (Iopti variant), ‘nemXXX.dll’ (Nem variant) or ‘wsemXXX.dll’ (Wsem variant). The XXX differs for different versions; common versions are ‘iopti130.dll’, ‘nem207.dll’ and ‘wsem210.dll’.

Open the registry (click ‘Start’, choose ‘Run’ and enter ‘regedit’) and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Delete the entries ‘DyFuCA’ and ‘DyFuCA Active Alerts’.

Now open a DOS command prompt window (from Start->Programs->Accessories), and enter the following commands (for the Iopti variant):

cd "%WinDir%\System"
regsvr32 /u ..\iopti130.dll

Or, for the Nem variant:

cd "%WinDir%\System"
regsvr32 /u ..\nem207.dll

Or, for the Wsem variant:

cd "%WinDir%\System"
regsvr32 /u ..\wsem210.dll

Restart the computer and you should be able to delete the DLL from the Windows folder, and the ‘DyFuCA’, ‘Internet Optimizer’ or ‘STWSI’ folder you may have inside Program Files. You can also delete the subkey ‘FCI’ in HKEY_LOCAL_MACHINE\Software and HKEY_CURRENT_USER\Software to clean up if you like.

Description

InetSpeak is a Browser Helper Object that adds a non-removable band of advertising and/or links below the standard IE toolbars.

Variants

InetSpeak/BHO42602, first version;

InetSpeak/WindowsIE, updated version with different names (by ‘ESD Technologies’);

InetSpeak/Iexplorr, as WindowsIE but different filename and class ID. (There are at least three different subvariants, /A, /B and /C, which differ only in class ID.)

InetSpeak/Iexplorr2, InetSpeak/Iexplorr23: as before but a new filename as well as class ID.

InetSpeak/eBoom, version showing a search box and links to eboom.com.

Also known as

JaypeeSysBHO, by Ad-Aware, as the author given in the BHO42602 variant is ‘Jaypee Systems’. boombar, filename of eBoom variant.

Distribution

BHO42602 was included in Music Magnet, a free file-sharing program which appears to be a copy of Gnucleus. Installs just before the setup program is run.

The WindowsIE variant is known to have been distributed under the name ‘Free Morpheus Upgrade Suite’ as well as being bundled with later versions of Music Magnet and other software by the same authors.

The eBoom variant is an ActiveX drive-by-download on pages purporting to offer services like free e-mail and phone calls.

What it does

Advertising

Yes. Advertising and link content is fetched from the controlling servers (eg. musicmagnet.com, eboom.com) when a new page is loaded, and displayed on newly-opened IE windows.

Privacy violation

No. The servers currently do not attempt to track users (through cookies etc.), and the only targeting the adware has been observed to do is fetching a different ad page when it thinks porn sites are being browsed or searched for.

Security issues

None known.

Stability problems

None known.

Removal

There is no uninstall feature. Ad-Aware 5.81 and up, and Spybot S&D 0.95b6 and up can remove the BHO42602 variant.

Manual removal

The DLL responsible for InetSpeak is located in different places depending on variant. In installs from Music Magnet (BHO42602, WindowsIE), it is in the folder you chose to install the software from: by default this is ‘C:\Program Files\mm(some numeric date)’.

In the ‘Morpheus Upgrade’ release of InetSpeak/WindowsIE, the file is in C:\Windows instead. In the eBoom variant, the file is in the Internet Explorer folder (in C:\Program Files, regardless of whether that is the drive/folder you are using).

Before you can delete the file you must deregister it using the ‘regsvr32 /u’ command. Open up a DOS/command prompt window (Start -> Programs -> Accessories), and enter (for the BHO42602 variant):

Description

ILookup is an IE toolbar providing a search box and link buttons. It also adds bookmarks to the Favorites menu (mostly affiliate links) and hijacks the homepage, address bar search and sidebar search.

Variants

ILookup/Ineb is implemented by the file ineb.dll and connects to the site i-lookup.com.

ILookup/Gws is implemented by the file gws.dll and connects to the site globalwebsearch.com.

ILookup/Chgrgs is implemented by the file chgrgs.dll.

ILookup/Abeb is implemented by the file abeb.dll and connects to the site superwebsearch.com.

ILookup/Bmeb is implemented by the file bmeb.dll and connects to the site traffichog.com.

ILookup/Sbus is implemented by the file sbus.dll and connects to the site searchbus.com.

ILookup/Drbr is implemented by the file drbr.dll and connects to the site globaltoolbar.com.

Distribution

Installed by ActiveX drive-by-download, thought to be used on pop-ups.

What it does

Advertising

Yes. Periodically connects to its controlling server, which may direct it to open pop-up advertising, often porn-related.

Privacy violation

No.

Security issues

None known.

Stability problems

At least the Ineb and Drbr variants (possibly the others too) can cause error messages of the type “Explorer has caused an error in ineb.dll…”, when using both Internet Explorer and the Windows Explorer.

Removal

Open the ‘Downloaded Program Files’ folder in the Windows folder. Right-click the object called ‘I-Lookup.

Next, open a DOS command prompt window (Start->Programs->Accessories) and enter the following commands. For the Ineb variant:

cd "%WinDir%\System"
regsvr32 /u Ineb.dll

Or for Gws:

cd "%WinDir%\System"
regsvr32 /u GWS.dll

Or for Chgrgs:

cd "%WinDir%\System"
regsvr32 /u Chgrgs.dll

Or for Abeb:

cd "%WinDir%\System"
regsvr32 /u abeb.dll

Or for Bmeb:

cd "%WinDir%\System"
regsvr32 /u bmeb.dll

Or for Sbus:

cd "%WinDir%\System"
regsvr32 /u sbus.dll

Or for Drbr:

cd "%WinDir%\System"
regsvr32 /u drbr.dll

Finally use Internet Options->Programs->Reset Web Settings to get the normal search sidebar back, reset your homepage, and delete the extra bookmarks added to the Favorites menu. If you like, you can also open the registry (Start->Run->regedit) and delete the key HKEY_CURRENT_USER\Software\ineb to clean up.

Description

IGetNet is a keyword-search service implemented as an IE Browser Helper Object and a process run at Windows start-up.

When you enter something into the address bar, IGetNet checks to see whether it includes keyword they have sold to one of their advertisers. If so, it redirects you to that site; if not it forwards you to a search engine using an IGetNet affiliate code. searchresult.net, qcksearch.com (which is apps.webservicehost.com) and overture.com have been seen to be used.

Variants

IGetNet/v4: original variant, installs files ‘BHO.DLL’, ‘rsp.dll’ and ‘Winstart.exe’ into the ‘System’ folder in the Windows folder. ‘Winstart.exe’, run at start-up, writes entries to the Hosts file to redirect all access to MSN or Netscape search sites through to IGetNet’s servers instead. (ignkeywords.com, rspsearch.com.)

IGetNet/v5: works the same as v4, but the files are now called ‘BHO001.DLL’, ‘rsp001.dll’ and ‘Winstart001.exe’ and they use new class IDs internally. You can tell if you have v5 as new IE windows will show the text ‘Enter Keyword or Web Address here’ in the address bar.

IGetNet/v6: same as v5 but has extra files.

IGetNet/ClearSearch: largely rewritten from the previous variants, this version will, every time the computer is started, remove older IGetNet variants, and any competitor search tool it finds. This includes the search-hijacking part of the parasites Xupiter, HuntBar/MSLink, CommonName, NewDotNet, and the iWon toolbar/search assistant and Netword, which are not currently known to be unsolicited commercial software.

Distribution

Bundled with P2P apps and software downloaded from ‘Blue Haven Media’, also installed by vCatch KazBlock and the FavoriteMan parasite. May also be installed by ActiveX drive-by-download on pop-up adverts.

IGetNet run an affiliate scheme at plugusin4cash.com to get third parties to install the software.

What it does

Advertising

No, other than unexpected redirects to advertiser sites when searching from the address bar.

Privacy violation

No.

Security issues

Yes. Can silently download and execute arbitrary code from its controlling server, as a self-updating feature.

Stability problems

In v4-v6, may cause IEXPLORE.EXE to hang whilst shutting down. You will also be unable to contact the real auto.search.msn.com and search.netscape.com directly whilst IGetNet is installed due to the Hosts file alterations.

No problems known yet with ClearSearch.

Removal

There is no uninstall option.

Ad-Aware 5 can remove the v4 variant of the software, though you will still need to do edit the Hosts file manually as below. Spybot S&D update 2003-01-05 can remove both variants.

Manual removal

Before you can delete the software you must deregister its DLLs and stop it running at startup. Open a DOS command window (from Start->Programs->Accessories) and enter the commands (v4 variant):

Then open the registry (Start->Run->regedit), find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Run and delete the ‘WinStart’ (v4), ‘WinStart002’ (v5), ‘WinStart001.exe’ (v6) or ‘ClrSrcLoader’ (ClearSearch) entry.

Reboot the machine and you can delete the BHO, rsp and Winstart files from the Windows\System folder, or in the ClearSearch variant, just delete the ‘ClearSearch’ folder in Program Files.

v5 may also leave behind an installer called Install_All.dll in this folder, which you can delete. This attempts to remove the v4 variant of IGetNet before installing, but also disables the address-bar-search features of other programs, including NewDotNet, Xupiter and TargetWord.

v6 may also leave behind files Update_Hosts.DLL, Update_com.DLL, Update_BHO.DLL, Update_RSP.DLL, Update_RemoveOld.DLL and rules.dat, which can also be deleted.

You can also delete the registry key HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Ie Rsp, (v4-v6 variants), or HKEY_LOCAL_MACHINE\SOFTWARE\CLRSCH (ClearSearch variant) to clean up if you like.

Next, find the Hosts file. This is called ‘HOSTS’ without a file extension (not Hosts.SAM); it is in the Windows folder on Windows 95/98/Me, or Windows\System32\drivers\etc\ on Windows NT/2000/XP. Open the file with a text editor (such as Notepad); if you have, or have previously had the v4-v6 variants, you will have these entries, which should be removed:

Description

When other search engines are used, it occasionally opens a pop-up alert window encouraging one to use the (now hijacked) search sidebar instead. (“For faster web searches press F9”)

Distribution

It is currently unknown where IETray comes from.

What it does

Advertising

No.

Privacy violation

No.

Security issues

No.

Stability problems

No.

Removal

Open a DOS command prompt window (from Start->Programs->Accessories), and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u IEMsg.dll

Next, open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’) and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Delete the entry ‘CSRSS’ pointing at ‘csrss.exe’. You can also open the key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt and delete the entries ‘&Define’ and ‘&Search the Web’.

Restart the computer and you should be able to delete the file ‘csrss.exe’ from the Windows folder, and ‘IEMsg.dll’ from the System folder (which is inside the Windows folder, called ‘System32’ on Windows NT/2000/XP). You can also delete ‘ERS_DEF.HTM’ and ‘ERS_SRC.HTM’ from the Web folder (insid the Windows folder).

Description

IEMonit is a search result hijacker implemented as an Internet Explorer Browser Helper object. It checks queries submitted to search engines for sex-related keywords. (Google, Yahoo, Lycos, AltaVista, Infospace and a variety of Polish search engines are targeted.)

Distribution

It is currently unknown where IEMonit comes from.

What it does

Advertising

Yes. May open advertisements when targeted keywords are entered.

Privacy violation

No.

Security issues

Yes. Includes an updater process which is believed to be able to download and execute arbitrary code from its controlling server. I currently have not obtained a copy of this to test, however.

Stability problems

No.

Removal

Open a DOS command prompt window (from Start->Programs->Accessories), and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u iemonit.dll

Next, open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’) and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Delete the entry ‘Internet Explorer Library’ on the right, pointing to ‘ieupdates.exe’, ‘updaterie01.exe’ or ‘fixieupdate.exe’.

Restart the computer and you should be able to delete ‘iemonit.dll’ and ‘ieupdates.exe’/’updaterie01.exe’/’fixieupdate.exe’ from the System folder, which is inside the Windows folder (and is called ‘System32’ on Windows NT/2000/XP).

Description

IEAccess is an ActiveX control used to download and install premium-rate diallers, primarily for porn sites.

Variants

IEAccess/IEDial, IEAccess/HTMLAccess and IEAccess/HTMLDialer are broadly similar but use different filenames and IDs.

IEAccess/EGDial is based on IEAccess/HTMLDialer, with an extra file.

Also known as

eGroup, by Spybot S&D, from the name of its makers.

Distribution

Installed by ActiveX drive-by-download by porn-related pages from nocreditcard.net and sex-explorer.com, which may be opened or redirected to by pop-up advertising.

The IEDial variant is known to be installed automatically, without prompting, on Internet Explorer versions earlier than IE6 Service Pack 1, thanks to a security hole. The installer pages exploit this to run an EXE which adds ‘Electronic Group’ to the list of trusted publishers whose software IE will install automatically without asking.

Electronic Group are also known to distribute at least two other types of stealth-installed dialer, StripPlayer and DialerOffline.

What it does

Advertising

No.

Privacy violation

No.

Security issues

It is suspected that it may be possible to use an IEAccess ActiveX control on any web page to cause arbitrary unsigned code to be executed. IEAccess/EGDial may also install the MagicControl parasite.

This does not actually get rid of the software, so open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands, for the IEDial variant:

cd "%WinDir%\System"
regsvr32.exe /u IEAccess2.dll

Or, for the HTMLAccess variant:

cd "%WinDir%\System"
regsvr32.exe /u DHTMLAccess.dll

Or, for the HTMLDialer variant:

cd "%WinDir%\System"
regsvr32.exe /u EGHTMLDialer.dll

Or, for the EGDial variant, you’ll need to find out the filename of the DLL responsible. Open the System folder (which is inside the Windows folder, and called ‘System32’ on Windows NT, 2000 and XP), and look for a filename beginning ‘EGDHTML’; known filenames include ‘EGDHTML_1015.dll’, ‘EGDHTML_1017.dll’ and ‘EGDHTML_1019.dll’. Enter the following commands, substituting the correct number:

cd "%WinDir%\System"
regsvr32.exe /u EGDHTML_1019.dll

You can now delete the ‘IEAccess2.dll’ (IEAccess variant), ‘DHTMLAccess.dll’ (HTMLAccess), ‘EGHTMLDialer.dll’ (HTMLDialer) or ‘EGDHTML_number.dll’ (EGDial) file in the System folder (which is inside the Windows folder, called ‘System32’ on Windows NT, 2000 and XP, or just ‘System’ on Windows 95, 98 and Me.) The EGDial variant also sometimes leaves ‘EGDial.dll’ in the System folder; this too can be deleted.

Next open the registry (Start->Run->regedit) and delete the key ‘HKEY_CURRENT_USER\Software\egroup’.

Finally, check whether Electronic Group have been added to your Trusted Publishers list – at least the IEDial and EGDial variants have been seen to do this. Open Internet Options->Content->Certificates->Publishers. Delete the entry if it is there, then open the registry (Start->Run->regedit) and find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database. Delete the entry with the value ‘ELECTRONIC GROUP’.

IEAccess may have downloaded one or more unwanted diallers. Sometimes these may appear in an ‘eGroup’ folder in the Windows folder, as well as entries the more usual Program Files folder. Check and delete any diallers you find.